使用pdo和预处理语句登录的PHP代码
但不工作总是输入if numr_rows<=0
案例
session_start(); // Starting Session
$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {
if (empty($_POST['username']) || empty($_POST['password'])) {
$error = "Username or Password is invalid";
}
else
{
// Define $username and $password
$username=$_POST['username'];
$password=$_POST['password'];
$stmt = DB::getInstance()->prepare("select * from tour_login where password=':password' AND username=':username'");
$stmt->bindParam(':username', $username);
$stmt->bindParam(':password', $password);
$stmt->execute();
$rows = $stmt->fetchAll();
$num_rows = count($rows);
if($num_rows<=0)
{
echo "<script>alert('No country Exist');
document.location='addcountry.php';</script>";
return false;
}
else
{
foreach ($rows as $row)
{
//echo "Entered successfull for loop";
if($row['type']==0)
{
$_SESSION['admn']=$username;
echo "<script>alert('welcome admin...');
document.location='home.php';</script>";
}
else
{
$_SESSION['usr']=$username;
echo "<script>alert('welcome user...');';</script>";
}
}
}
}
**如果准备好的陈述被注释掉并使用它,那就可以了。**
$result=DB::getInstance()->query("select * from tour_login where password='$password' AND username='$username'");
$rows = $result->fetchAll();
$num_rows = count($rows);
if($num_rows<=0)
{
echo "<script>alert('No country Exist');
document.location='addcountry.php';</script>";
return false;
}
else
{
foreach ($rows as $row)
{
//echo "Entered successfull for loop";
if($row['type']==0)
{
$_SESSION['admn']=$username;
echo "<script>alert('welcome admin...');
document.location='home.php';</script>";
}
else
{
$_SESSION['usr']=$username;
echo "<script>alert('welcome user...');';</script>";
}
}
}
}
我在准备好的陈述中做错了什么?。新到php
答案 0 :(得分:2)
你这样绑定:
$stmt = DB::getInstance()->prepare('SELECT ... WHERE password = :password AND username = :username');
$stmt->bindParam(':username', $username);
$stmt->bindParam(':password', $password);
没有引号围绕您的参数。它只是:password
,而不是':password'
。绑定不像将值插入字符串那样有效。占位符是值的实际占位符,数据库将自行确定这些是字符串,数字还是其他。